The cloud is fueling an explosion of secure new services, but not every company is equally able to tap into this trend. While identity as a service (IDaaS) and the cloud are changing the game for small and medium businesses, the sheer scale and complexity of the Fortune 1000 enterprise makes it difficult for these long-established companies to reach beyond their borders securely and completely. Their customer bases may cover the globe, but their underlying infrastructures are so complicated -- and their need for security so paramount -- that such companies don't have the agility to navigate into the new services stratosphere.
While smaller organizations can easily outsource their identity infrastructure, why is it so much more difficult for larger companies to reach the cloud? Today's sizable enterprises are facing two diverging trends when it comes to applications and security. First, they are charged with securing more users who are accessing more applications from more places through more devices than ever before. Second, the number of identity data sources and the diversity of representations -- LDAP, AD, SQL, APIs -- are growing at the same rate, which is to say, exponentially.
So much heterogeneity is pushing the boundaries of traditional identity and access management (IAM) beyond the breaking point, at a time when security is becoming increasingly essential -- and difficult to ensure, given today's complex and highly distributed identity systems. All this leads to a classic n-squared problem, where companies try to make many hard-coded connections to many different sources, each with its own security protocols and data access requirements. The result: costly custom deployments and even greater complexity.
Custom-coded connections between diverse data stores and applications can be very costly.
The good news is that in the domain of security and single sign-on (SSO) across Web and cloud apps, this n-to-n problem is fueling the rapid adoption of federation standards, such as Security Assertion Markup Language (SAML), OAuth, and OpenID Connect. But as many companies are discovering, deploying federation requires more than simply federating the request for access to some "abstract" identity provider.
To make this solution operational requires some form of smart normalization and integration of identity data. This is a big challenge for established companies that are not in a greenfield deployment where identity information exists in a unique, clean, and validated state.
In the ideal world, an identity provider should be able to call a single normalized source of identity when validating an authentication request. But most Fortune 1000 companies are grappling with fragmented identity infrastructures, where identities and attributes are scattered across different identity data stores. The identity provider is not designed to find users across data silos or sort out protocol differences and user overlap (although there are products that do exactly that). It requires a unified, normalized view of identity against which it can authenticate users and issue the appropriate tokens to connect those users to Web or cloud-based applications outside the security perimeter.
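To make the normalization layer concrete, here is an added illustration (not code from the article or from any product it alludes to): one adapter per store maps AD-, LDAP- and SQL-style records onto a canonical schema, records for the same person are correlated by e-mail address, and the merged view yields the attributes an identity provider could place in a SAML assertion or OIDC token. The sample records, the choice of e-mail as the correlation key, and the rule that a user disabled in any store is denied are all constructed assumptions for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Optional, Set, Tuple

# Constructed sample records from three stores with different schemas
# (AD-style, OpenLDAP-style, and an HR SQL table). All values are fictional.
AD_USERS = [{"sAMAccountName": "jdoe", "mail": "JDoe@Example.com",
             "memberOf": ["CN=Finance,OU=Groups,DC=example,DC=com"]}]
LDAP_USERS = [{"uid": "jdoe", "mail": "jdoe@example.com", "ou": "finance"},
              {"uid": "asmith", "mail": "asmith@example.com", "ou": "engineering"}]
SQL_USERS = [{"username": "a.smith", "email": "asmith@example.com", "active": 1},
             {"username": "jdoe", "email": "jdoe@example.com", "active": 0}]

@dataclass
class Identity:
    email: str                                   # correlation key, lower-cased
    logins: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)
    active: bool = True
    sources: Set[str] = field(default_factory=set)

# One adapter per store: n adapters replace n*m hard-coded app-to-store links.
def from_ad(r) -> Identity:
    groups = {dn.split(",")[0].split("=", 1)[1].lower() for dn in r.get("memberOf", [])}
    return Identity(r["mail"].lower(), {r["sAMAccountName"].lower()}, groups, True, {"ad"})
def from_ldap(r) -> Identity:
    return Identity(r["mail"].lower(), {r["uid"].lower()}, {r["ou"].lower()}, True, {"ldap"})
def from_sql(r) -> Identity:
    return Identity(r["email"].lower(), {r["username"].lower()}, set(), bool(r["active"]), {"sql"})

def build_view(sources: Iterable[Tuple[list, Callable]]) -> Dict[str, Identity]:
    """Merge records describing the same person (same e-mail) into one entry."""
    view: Dict[str, Identity] = {}
    for records, adapter in sources:
        for ident in map(adapter, records):
            cur = view.setdefault(ident.email, Identity(ident.email))
            cur.logins |= ident.logins
            cur.groups |= ident.groups
            cur.sources |= ident.sources
            cur.active = cur.active and ident.active   # any store disabling the user wins
    return view

def claims_for(view: Dict[str, Identity], login: str) -> Optional[dict]:
    """Attributes an IdP could put in a SAML assertion or OIDC ID token; None means deny."""
    for ident in view.values():
        if login.lower() in ident.logins or login.lower() == ident.email:
            if not ident.active:
                return None
            return {"sub": ident.email, "groups": sorted(ident.groups), "sources": sorted(ident.sources)}
    return None

VIEW = build_view([(AD_USERS, from_ad), (LDAP_USERS, from_ldap), (SQL_USERS, from_sql)])
```

Note that "jdoe" exists in all three stores under slightly different names, yet a single lookup finds one merged identity, and the inactive HR record blocks token issuance even though AD and LDAP still list the account.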